Scheduling a Targeted Certification

Targeted Certifications are the most flexible type of certification. In a Targeted Certification you can certify role, entitlement, and account access for a narrowly defined set of identities. The Targeted Certification gives you a high level of flexibility in choosing which parameters to include in the certification, such as who, what, and when to certify.

  • Targeted Certification: Who to Certify

  • Targeted Certification: What to Certify

  • Targeted Certification: Choose Certifier

  • Targeted Certification: Schedule

  • Targeted Certification: Additional Settings

Targeted Certification: Who to Certify

To narrow down the identities to certify, choose an option for selecting identities. To certify all identities in your system, do not define any selection criteria.

Filter Identities

Use filters to define the identity list for the certification. You can filter identities by attribute, using operations like Equals, Not Equals, or Starts With. You can choose the values for the filter from a list, or type them in. You can only type in valid values.

You can choose more than one value for any one filter. When you do this, the criteria works as an "or" operation, so the certification will include all identities meeting any of the criteria. For example, filtering on Department Equals and entering two departments will select identities from both those departments.

Add more filters if you want to filter on more than one attribute using an "and" condition. With multiple filters, identities have to meet each of the sets of filter criteria in order to be included. For example, filtering on Department Equals Accounting and Location Equals Berlin will select only identities that are in the Accounting department in Berlin.

Access reviews for Service or RPA / Bot identities are sent to the certifier specified during your configuration process.

Population

Choose from the populations that have been defined in your IdentityIQ system. Populations are saved queries based on searches run from the Identity Search feature of Advanced Analytics. See Advanced Analytics.

Rule

Choose a rule that will select identities. The Targeted Certification does not include a rule editor, so you are limited to choosing existing rules from the list. Only rules with a rule type of CertificationScheduleEntitySelector are included in this list.

Exclude Inactive Identities

Check this to omit identities flagged as Inactive at the time the certification is generated. For recurring certifications, future occurrences will reflect any changes that have happened since the last certification was generated, including identities that have become inactive.

Targeted Certification: What to Certify

This section lets you narrow the focus of the certification by defining which elements of accounts, roles, entitlements, and target permissions to include.

For Roles / Entitlements, you can add more criteria that are specific to entitlements:

  • Check Additional Entitlements to include entitlements that are not contained in a role. If you check this option, you can also add filtering criteria to choose the entitlements to include.

  • Check Include Accounts without Entitlements to include accounts that have no entitlement attributes.

  • Check Target Permissions to include the actions a user can perform on an Unstructured Target such as a file share or folder.

Adding Filters

You can filter the Roles/Entitlements or Accounts to include in the certification, using operations like Equals, Not Equals, or Starts With. You can choose the values for the filter from a list, or type them in. You can only type in valid values.

You can choose more than one value for any one filter. When you do this, the criteria works as an "or" operation, so the certification will include all entities meeting any of the criteria. For example, filtering on Owner Equals and entering two identities will select roles / accounts owned by either of those identities.

Add more filters if you want to filter on more than one attribute using an "and" condition. With multiple filters, entities have to meet each of the sets of filter criteria in order to be included. For example, filtering accounts on Service Account Equals True and Application Equals Active_Directory will select only service accounts on the Active Directory application.
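The filter semantics described in this section and in Who to Certify (several values on one filter combine as "or", separate filters combine as "and") as an added worked model; this is example code, not IdentityIQ's own implementation, and the Filter and select names plus the sample identities are constructed for the illustration.

```python
# Added example, not IdentityIQ code: a small model of the filter semantics
# described above (values within one filter OR together, separate filters AND).
from dataclasses import dataclass


@dataclass
class Filter:
    attribute: str
    operator: str        # "Equals", "Not Equals" or "Starts With"
    values: list         # one or more values chosen for this filter

    def _test(self, actual: str, value: str) -> bool:
        if self.operator == "Equals":
            return actual == value
        if self.operator == "Not Equals":
            return actual != value
        if self.operator == "Starts With":
            return actual.startswith(value)
        raise ValueError(f"unsupported operator: {self.operator}")

    def matches(self, record: dict) -> bool:
        actual = record.get(self.attribute)
        if actual is None:          # assumption: entities lacking the attribute never match
            return False
        # Several values on one filter act as an "or": any match is enough.
        return any(self._test(actual, v) for v in self.values)


def select(records: list, filters: list) -> list:
    """Names of records meeting every filter (separate filters "and" together)."""
    return [r["name"] for r in records if all(f.matches(r) for f in filters)]


# Constructed sample identities (not real data).
IDENTITIES = [
    {"name": "alice", "Department": "Accounting", "Location": "Berlin"},
    {"name": "bob", "Department": "Accounting", "Location": "Paris"},
    {"name": "carol", "Department": "Sales", "Location": "Berlin"},
    {"name": "dave", "Department": "Engineering"},   # no Location attribute
]

# One filter with two values: Department is Accounting OR Sales.
BY_DEPT = select(IDENTITIES, [Filter("Department", "Equals", ["Accounting", "Sales"])])

# Two filters: Department is Accounting AND Location is Berlin (the example in the text).
ACCOUNTING_BERLIN = select(IDENTITIES, [
    Filter("Department", "Equals", ["Accounting"]),
    Filter("Location", "Equals", ["Berlin"]),
])
```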

Select Attribute

Select a role / entitlement attribute from the dropdown list.

Operator

Select an operator from the dropdown list for this attribute.

Value

Select a value from the dropdown list. The values available are dependent on the attribute and operator selected. You can enter text in the value field for some types of attributes, to help find the value you want; only valid values are supported.

Other Options

Include Policy Violations

Policies are rules that enforce your enterprise's business policies on separation of duty, activity, and risk. Violations of those policies can be included in the access reviews generated by the certification.

Exclude Logical Tier Entitlements

Logical applications are applications formed by the detection of accounts from other applications, called "tier" applications, in existing Identity Cubes. Use this option to exclude entitlements on tier application accounts from the certification. This option applies only to logical applications.

Filter Logical Application Entitlements

Allow logical entitlements defined on the logical application's managed entitlement list to be included in the certification. Any logical application entitlements are filtered from the tier application entitlements.

Include IdentityIQ Capabilities

Capabilities control access to pages, tabs, and fields within IdentityIQ. Use this option to include IdentityIQ capabilities in the certification.

Include IdentityIQ Scopes

Scopes are used to restrict access to objects in IdentityIQ. If scoping is enabled in your implementation, use this option to include scopes in the certification.

Targeted Certification: Choose Certifier

Use the Choose Certifier section to configure who will perform the certification by reviewing and deciding on access.

Targeted certifications are designed so that you can specify, directly on the certification scheduling page, exactly who should be the certifier for the certification. Tools are provided that eliminate the need to reassign certifications. This design provides the flexibility of rules from the user interface, so that you can schedule certifications without having to write rules.

If required, reassignment can be performed by specifying a Certifier type rule in the Primary Certifier field. For example, if the certifier should be a manager except if the target identity is a manager themself or has no manager, a Certifier type rule can contain the following:

    import sailpoint.object.Identity;

    // Resolve the identity whose access is being certified
    Identity target = entity.getIdentity(context);
    // Managers, and identities with no manager assigned, are routed to spadmin
    if (target.getManagerStatus() || (target.getManager() == null)) {
        return "spadmin";
    }
    // Otherwise the identity's own manager is the certifier
    return target.getManager().getName();

Pre-delegation rules can still be used to support the Delegation and Forwarding of access reviews, but any reassignment components are ignored. Pre-delegation rules are set in the Targeted Certification: Additional Settings section.

Primary Certifier

Choose the Primary Certifier for the access reviews.

Manager

The manager of each identity will act as the primary certifier for that identity. A backup certifier is also required.

Owner

For Roles, the role owner always acts as the primary certifier. For Additional Entitlements, you can choose from the Application Owner or the Entitlement Owner as the primary certifier. A backup certifier is also required. Pre-delegation rules do not support reassignments in the Targeted Certification. Use the Primary Certifier field with a Certifier type rule for reassignment.

Rule

Choose the certifier using a rule. The Targeted Certification does not include a rule editor, so you are limited to choosing existing rules from the list. Only rules with a rule type of "Certifier" are included in this list. A backup certifier is also required. If you want to use a rule to manage reassignments, use a Certifier Rule here to control reassignments rather than a pre-delegation rule; pre-delegation rules do not support reassignments in the Targeted Certification.

Single Certifier

Choose an identity or workgroup who will be responsible for the access review. You have the option to add a backup certifier, but a backup certifier is not required.

Backup Certifier

A Backup Certifier is required for all types of Primary Certifier except single certifier. The Backup Certifier is the user or workgroup that will be assigned the review if the Primary Certifier can not be identified (for example, in a manager certification when an identity does not have a manager assigned).

Advanced Options

Reassignments

With reassignment, you can pass individual line items or an entire identity to another user to review. The person the items are reassigned to assumes complete responsibility for all decisions on those items, and must sign off on those decisions themselves.

Enable Bulk Reassignment

Allow reviewers to reassign multiple items simultaneously within an access review.

Limit Reassignments / Reassignment Limit

Limit the number of times reviewers can reassign an item in the access review. If you opt to limit reassignments, include the number of reassignments allowed.

Require Reassignment Completion

Require the completion of all reassigned reviews before the parent review can be completed.

Return Reassignments to Original Access Review

When a reassigned review is signed off, return the reassigned review to the original access review owner. When items are returned, the original owner can modify the decisions the reassigned reviewer has made.

Automatically Sign Off When All Items Are Reassigned

Allow the access review to be automatically signed off when all items in the access review are reassigned. This option can only be enabled if the Require Reassignment Completion and Return Reassignments to Original Access Review options are not enabled.

Self Certification

Allow self certification for

Choose which users may self-certify -- that is, be the certifier for their own access, either by forwarding or reassigning an access review: All certifiers, Certification and System Administrators, or System Administrators only.

Self Certification Violation Owner

For users that are not allowed to self-certify, this is the identity or workgroup that will receive any items that would require a self-certification - that is, when the reviewer and the user whose access is under review are the same person. If a Self Certification Violation Owner is not specified, any items that require self-certification will be read-only to the reviewer.
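How the Limit Reassignments and Self Certification settings described above interact when an item is reassigned, as an added model (example code, not IdentityIQ's implementation); the admin_level attribute, the Settings fields and the function names are assumptions made for this illustration.

```python
# Added example, not IdentityIQ code: a model of how the Limit Reassignments and
# Self Certification settings govern a reassignment of a review item.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Identity:
    name: str
    admin_level: str = "user"    # assumed: "user", "cert_admin" or "sys_admin"

@dataclass
class ReviewItem:
    target: str                  # identity whose access is under review
    reviewer: str                # current assignee
    reassignments: int = 0
    read_only: bool = False

@dataclass
class Settings:
    self_cert_policy: str        # one of the three options from the text
    violation_owner: Optional[str] = None     # Self Certification Violation Owner
    reassignment_limit: Optional[int] = None  # None: reassignments unlimited

def may_self_certify(identity: Identity, policy: str) -> bool:
    """Apply the 'Allow self certification for' setting to a would-be reviewer."""
    if policy == "All certifiers":
        return True
    if policy == "Certification and System Administrators":
        return identity.admin_level in {"cert_admin", "sys_admin"}
    if policy == "System Administrators only":
        return identity.admin_level == "sys_admin"
    raise ValueError(f"unknown self-certification policy: {policy}")

def reassign(item: ReviewItem, to: Identity, settings: Settings) -> ReviewItem:
    """Reassign item to `to`, enforcing the reassignment limit and self-cert rules."""
    limit = settings.reassignment_limit
    if limit is not None and item.reassignments >= limit:
        raise PermissionError("reassignment limit reached")
    item.reassignments += 1
    if to.name == item.target and not may_self_certify(to, settings.self_cert_policy):
        if settings.violation_owner:
            item.reviewer = settings.violation_owner    # item diverted to the owner
        else:
            item.reviewer, item.read_only = to.name, True  # reviewer may only view it
    else:
        item.reviewer = to.name
    return item
```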

Other

Prompt for Sign Off

Display an overlay prompting reviewers to sign off, when the access review is complete.

Require Electronic Signature

Require an electronic signature as part of the sign-off process. Reviewers use their IdentityIQ login as authorization for the electronic signature.

Electronic Signature Meaning

If you choose to require electronic signature, choose the meaning (the text that goes with the electronic signature) from the list. Electronic signature meanings are defined in Global Settings > Electronic Signatures.

Automatically Sign Off When Nothing to Certify

If the access review contains no items, allow the review to be signed off automatically with the assigned reviewer's credentials. This sign-off occurs even if there are subordinate access reviews.

Suppress Notification When Nothing to Certify

Do not send a notification email when the assignee has nothing to certify.

Sign Off Approval Rule

A rule can determine if any additional review is needed on the Sign-Off decision. If you enable this option, you also choose the rule to run after initial sign-off by the reviewer, and a Sign Off Approval Notice Email Template. The rule determines if the decisions need to be reviewed by another approver. If so, the user is notified via email using the email template, and the certification request is sent to that user's inbox. This process is repeated until no more reviewers are discovered by the rule. The Targeted Certification does not include a rule editor, so you are limited to choosing existing rules from the list. Only rules with a rule type of CertificationSignOffApprover are included in this list.

Bulk Reassignment Modification Notices

Choose the email template to use to send bulk reassignment notices.